January 13, 2023 – Not since 2002 and the passing of the massively consequential Sarbanes-Oxley Act, when the Securities and Exchange Commission (SEC) required America’s boards of directors to appoint chief financial officers and form audit committees, has there been such a critical impending change to board skill-sets and reporting. The SEC has once again identified a serious gap in board expertise, governance, planning, accountability, public disclosure and response – this time in the areas of cybersecurity and risk assessment – and is drafting regulations to address it. The changes are expected to be finalized by the end of the year.
The SEC’s proposed amendment requires boards to begin reporting material cybersecurity incidents and providing updates on them; initiating and reporting on policies and procedures to identify and manage cybersecurity risks; reporting on their impact to the bottom line; reporting their resolution; and notifying investors about those incidents. Thus far, the SEC has only described the specific outcomes it wants to see implemented and has not provided specifics about how companies can best satisfy the new requirements.
DHR Global has been actively focusing on what the right cybersecurity expertise encompasses at the board level, how it will dovetail with other board positions such as the chief information officer, and is recommending its clients get ahead of the new rules by recruiting highly qualified chief information security officers (CISO) to take their seats at the table as board directors. “Thanks to the SEC’s new cybersecurity requirements and the growing threats evolving from digital technology and the use cases and business models they enable, there is a huge opportunity for CISOs to broaden their roles into the boardroom,” said the search firm in a new report.
The Ideal CISO Board Member
According to DHR’s proprietary research, to date only seven of the 500 largest public companies in the U.S. have an experienced CISO currently sitting on their corporate board of directors.
“Among our clients we are increasingly seeing that cybersecurity is becoming a new agenda item at every board meeting,” said Heather Smith, partner in the board and CEO practice at DHR. “Our research shows that the vast majority of boards do not have a CISO among them. As such, non-technical board members are called on to provide guidance on cybersecurity risk. It’s becoming apparent that there is a specific cybersecurity skill-set that we are recruiting for to meet both the current need and the impending SEC requirement.”
“The ideal board CISO provides a competitive advantage and brings relevant, recent experience from the last two years, has a long lens when it comes to the latest cyber vulnerabilities and a strategic, proactive outlook, and is able to communicate effectively regarding what risk management entails at the board level,” said DHR’s Kathryn Ullrich, managing partner in the advanced technology practice. “They understand IT security but also the company’s strategy and how IT should support that strategy.”
What has caused this massive threat and critical omission at the board level? Digital technologies and their impact on the modernization of networks and infrastructures are at the heart of the issue, according to DHR. “Already in play, these changes have been sped up out of necessity by business closures and remote workers due to COVID, workplace re-openings, and a newly hybrid workforce, supply chain disruptions, applications and operations moving to the cloud, a slew of new internet of things devices and multi-domain networks in which operations technology and information technology networks are merging – all have meant that there are many new and ever-evolving avenues for hackers to take into the heart of economies, businesses and everyday life,” said the report. According to the World Economic Forum, 70 percent of economic growth is now being driven by digital technologies.
The numbers, says DHR, are startling: Cyber-attackers can breach 93 percent of company networks, according to new research from Positive Technologies; cyberattacks in 2021 increased by 50 percent when compared to 2020, as reported by cybersecurity firm Check Point; cybercrime cost U.S. businesses more than $6.9 billion in 2021, the FBI told Newsweek in March 2022; and 29 percent of CEOs and CISOs and 40 percent of chief security officers admit their organizations are unprepared for a rapidly changing threat landscape, reports Thought Lab from their 2022 cybersecurity study.
“Today’s cybersecurity threat takes many forms and can vary by industry,” said the DHR study. “Among this year’s top issues according to CSO Magazine: ransomware, cryptomining/cryptojacking, deep fakes, video conferencing attacks, XDR (extended detection and response across endpoints, email, identity and access management, network management and cloud security), operational attacks against IoT and OT, and supply chain attacks such as the recent SolarWinds breach.”
In its study, DHR points to a wide range of potential targets:
- Education: Outdated technology, massive stores of data, and hybrid campuses are putting education at risk. Data breaches, phishing, and ransomware are the top methods for attack here.
- Healthcare: In healthcare, the vast number of new medical and IoT devices now on the network are most at risk, with hackers targeting patient care devices, launching distributed denial of service attacks, demanding ransom and holding hospitals hostage.
- Manufacturing: In manufacturing, as multiple OT, IT, and cloud networks connect for the first time, the lack of end-to-end security is causing issues: new wireless endpoints and legacy systems suffer from weak encryption, which impacts production and distribution.
- Energy: In energy, inefficiencies in identity and access management and a lack of system integration cause vulnerabilities in the supply chain.
- Financial Services: Financial services continue to be threatened by data breaches from ransomware, phishing, web application and vulnerability exploitation and denial of service attacks.